Sophos Malware Remediation Toolkit (SMaRT)

This article provides information on SMaRT - a process that can be used when you have problems detecting or cleaning up malware, or a computer becomes reinfected after successful cleanup.

Applies to the following Sophos product(s) and version(s)

Not product specific

1. Understanding SMaRT

What is SMaRT?

SMaRT provides a systematic process which allows you to deal with malware from the time you initially suspect or discover its presence, through to its removal. This process can be implemented by using the step-through Interactive Guide or by working through the downloadable PDF User Guide. Links to these are provided below.

Both SMaRT guides demonstrate the processes and tools needed to remove resistant malware. They advise on which tools should be used, under what circumstances, and how best to use them.

Note: SMaRT is designed to be used with Windows 2000 and above.

When to use SMaRT

The SMaRT process should be used under any of the following circumstances:

A scan has alerted you to the presence of malware on your system. You have attempted to clean it up, but were unsuccessful, for example because the system is reinfecting itself. SMaRT helps you to track down and deal with these situations.

You believe you may have malware on your system, but are unable to locate it.

Suspicious items have been detected, but you are not clear as to whether they are actually malware.

How does SMaRT work?

By using a series of questions, presented in a precise order, the SMaRT process advises when to use any of the specialized tools listed in the table below.

A guide for network administrators:

Download the tools

The table below allows quick access to all of the tools used by SMaRT. There are direct links to the tools themselves, but we recommend you read the associated KB article first to familiarize yourself with how the tool works.

Tool | Download link | KB article

Source of Infection Tool (SOI): Used to identify where persistent malware originates. This can be either a network location or a local process.